Microsoft device helps police pluck evidence



By Benjamin J. Romano

Seattle Times technology reporter

http://seattletimes.nwsource.com/html/micr..._msftlaw29.html

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB "thumb drive" that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.


Update: Via email, a Microsoft spokeswoman said COFEE is a compilation of publicly available forensics tools, such as "password security auditing technologies" used to access information "on a live Windows system." She cited rainbow tables as an example of other such tools, and "was NOT confirming that COFEE includes Rainbow Tables."

It "does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means."

Further, she reiterated that the tool is intended for use "by law enforcement only with proper legal authority."

Another update: This from Tim Cranton, associate general counsel at Microsoft: "The key to COFEE is not new forensic tools, but rather the creation of an easy to use, automated forensic tool at the scene. It's the ease of use, speed, and consistency of evidence extraction that is key."

From: http://blog.seattletimes.nwsource.com/tech...fee_device.html

Without a detailed list of included software, I'd say some of us already have some of the individual programs.


^^ Yes, but if it's labelled nicely with instructions on BitTorrent, I can see more people who know next to nothing about stuff like that using it instead of spending the time looking. Like a scary hack pack for normal Joes.


"Further, she reiterated that the tool is intended for use 'by law enforcement only with proper legal authority.'"

Problem is though, most law enforcement with proper legal authority wouldn't know how to use the programs without the aid of a Micro$oft tech, let alone know how to boot from USB.

I mean hey, here in OZ the ecilops get warrants to seize hard drives, but instead take the whole PC. Every case can be thrown out of court on that alone.

Just how much does the average cop know about computers anyway?

And sooner or later someone will come out with DECAF.


Sounds a lot like they are using the Helix version of a Knoppix LiveCD.

Errrr... only Windows-based, for what that's worth.


> "Further, she reiterated that the tool is intended for use 'by law enforcement only with proper legal authority.'"
>
> Problem is though, most law enforcement with proper legal authority wouldn't know how to use the programs without the aid of a Micro$oft tech, let alone know how to boot from USB.
>
> I mean hey, here in OZ the ecilops get warrants to seize hard drives, but instead take the whole PC. Every case can be thrown out of court on that alone.
>
> Just how much does the average cop know about computers anyway?
>
> And sooner or later someone will come out with DECAF.

Got an example for that one there champ? Think you might be talking out the hole in your backside to be honest.


This sort of news always scares me, probably too much lol :p . Not that I have anything bad on my computer (seriously).

It's more the possibility for abuse by criminals that makes these things scary. Microsoft always say they are worried about computer security (their top priority?). But giving these tools to police is asking for trouble, because you know that criminals will get these tools sooner or later. Plus the fact that this has gone on for nearly a year and is only now being made public lessens trust in Microsoft. What else about Windows don't we know about?

This is one reason I like Linux, though I am not saying anything bad about Windows or anything (seriously, Windows is cool). It's just that with open source software, you can see the source and know what it is doing. Not that I have that skill, but I feel safer using code that is open for inspection and has 'lots of eyes' constantly monitoring it.


Isn't this just a modified USB Switchblade tool???

This is what I have read: this is a USB with software on it that can be inserted into a running Windows machine. It automatically bypasses security and begins downloading data, including from RAM, off the machine. You don't need to reboot the machine for this to work at all. You don't need Admin privileges either. It just works automatically when inserted. This leads me to think that Windows itself must be coded to respond automatically to the software on this USB by dropping its security. If this is not a 'backdoor' then I don't know what is.

The question remains: does this affect MS encrypted files? Microsoft say 'no' but I am suspicious because it would be of significantly less use as a tool to police if it couldn't decrypt files, given that their targets (criminals of various types) would probably encrypt their files. I mean, if they make a 'backdoor' for all other aspects of the security of Windows systems, then why not let it decrypt as well?


> This is what I have read: this is a USB with software on it that can be inserted into a running Windows machine. It automatically bypasses security and begins downloading data, including from RAM, off the machine. You don't need to reboot the machine for this to work at all. You don't need Admin privileges either. It just works automatically when inserted. This leads me to think that Windows itself must be coded to respond automatically to the software on this USB by dropping its security. If this is not a 'backdoor' then I don't know what is.

However Microsoft try to put it, Windows is executing software on a USB drive without user intervention. This is either a) intentional or b) not.

a) If it's deliberate then it's a major breach of security and trust, a 'backdoor' like you say.

b) If it's not intentional then it must be a major Windows flaw which Microsoft are not going to fix and are actually promoting.

Either way, foul play!


No, with the Switchblade I've been "researching", it works with the U3 software of the U3 USB drives.

No user interaction

I put it in my test machine and it downloads all passwords etc.

You can integrate a lot of software into it, such as a memory dumper etc.

This requires no backdoors


> No, with the Switchblade I've been "researching", it works with the U3 software of the U3 USB drives.
>
> No user interaction
>
> I put it in my test machine and it downloads all passwords etc.
>
> You can integrate a lot of software into it, such as a memory dumper etc.
>
> This requires no backdoors

Then it's b) a major Windows flaw which Microsoft are not going to fix and are actually promoting.
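The last few posts argue about whether a U3 stick launching its payload on insertion is a backdoor or a flaw. From a defender's side the control is the same either way: the AutoRun policy that decides whether Windows honours autorun.inf on a newly attached drive. The script below is an added example, not code from this thread, from Microsoft, or from the Switchblade project; it assumes an elevated PowerShell session on a Windows host and uses the documented NoDriveTypeAutoRun policy value (the function names are mine).

```powershell
# Added example (not from the thread): audit and harden the AutoRun policy so a
# removable device (including the emulated CD-ROM partition a U3 stick presents)
# cannot launch an autorun.inf payload without the user doing anything.
# Assumes an elevated session; the key, value name and bitmask are the documented
# Windows policy settings, the function names are this example's own.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF   # every bit set: AutoRun disabled for all drive types

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun bitmask, or $null if the value is unset.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-AutoRunDisabled {
    param([Nullable[int]]$Mask)
    # Bit 0x04 covers removable drives and bit 0x20 covers CD-ROM drives.
    # A U3 stick shows up as both, so both bits must be set for the policy to help.
    if ($null -eq $Mask) { return $false }
    return (($Mask -band 0x04) -ne 0) -and (($Mask -band 0x20) -ne 0)
}

function Set-AutoRunDisabled {
    # Create the policy key if it does not exist, then disable AutoRun for all drive types.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
}

$current = Get-AutoRunPolicy
if (Test-AutoRunDisabled $current) {
    Write-Host ('AutoRun already disabled for removable and optical drives (mask 0x{0:X2}).' -f $current)
} else {
    $shown = if ($null -eq $current) { 'unset' } else { '0x{0:X2}' -f $current }
    Write-Host ("AutoRun policy is $shown; setting $ValueName to 0xFF for all drive types.")
    Set-AutoRunDisabled
}
```

The check tests the removable (0x04) and CD-ROM (0x20) bits separately because the U3 launcher lives on an emulated CD-ROM partition, so a policy that only covers removable drives would still let it run. Microsoft later changed the default AutoRun behaviour in Windows, but an explicit policy value is what an auditor can verify; the same value can also be set under HKCU for a per-user policy.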

